V. Conclusion

Is there any reason to think that privacy self-regulation will work today when it did not work in the past? Privacy self-regulation done in the same way that it has been done in the past, without sufficient consumer participation, and with the same goals of simply evading real regulation and effective privacy controls will continue to fail.

What should be done if privacy self-regulation cannot succeed is beyond the scope of this report. This report does not advocate for regulation or against improved self-regulation. The point is that there is no reason to believe that this time will be different when it comes to privacy self- regulation done in ways that have been proved to lead to failure. New approaches are needed if the goal is to offer consumer valuable, effective, and balanced privacy protections that last.

What is at stake: Implications for current privacy self-regulatory efforts

If privacy self-regulation today is constructed in the same way as in the past, will it fail in the same way as before? Questions abound. Should self-regulation cover website advertisers? Internet service providers? Data brokers? Social networking sites? Companies using location information? Apps providers? All websites? Defining the Internet universe is daunting, and even within slices of that universe, definitions and boundaries will be difficult to establish. The past history of even the best-intentioned of self-regulatory efforts shows how quickly policy can be outdated by industry and Internet developments.

The web is changing too rapidly to expect that any given form of traditional industry-supported privacy self-regulation will make sense in a year or two. Companies track the activities of individuals today in ways that were not contemplated even a year or two ago. Companies often have no reason to expose to public view their data processing functions for definition or measurement lest they reveal a marketplace advantage.

In most areas of online activity that involve personal information, the number of companies is unknown and highly variable. To determine the penetration of self-regulation coverage, there has to be both a known, demonstrable denominator of companies that fall within the self-regulatory scheme and a numerator of those companies that are participating in the scheme. Without this basic information, there is no real way to measure the penetration of privacy self-regulation. For example, if a list of Internet advertising companies exists at all, that list will go out of date almost immediately. Thus, it is difficult to determine what percentage of the defined universe has agreed to any specific self-regulatory scheme. Even if it were possible to calculate these numbers for past privacy self-regulatory activities, the penetration would likely be low and highly variable over time.

Measuring activity though another measure (rather than the number of companies) would probably require access to information that industry would argue to be proprietary. Thus, it is harder than ever to even make basic judgments about the scope and effect of any industry- supported privacy self-regulation.

There is more at stake financially today. Revenues from personal data activities are huge. If a self-regulatory scheme had any real effect on revenues or profits, those who stayed out of the scheme could profit at the expense of those who participated. It is hard to see how a race to the bottom effect would be avoided. Still, because there are so many companies and so much money involved in the Internet space, only a small percentage of companies need to participate in a privacy self-regulatory scheme to provide an impressive amount of resources that will make the self-regulation look better than it is. Millions for show, but pennies for substance.

A poorly designed privacy self-regulation scheme that has limited market penetration and insufficient enforcement may be good enough to fool potential regulators once again. Industry is well aware that a little will go a long way for public relations purposes. Industry knows that it only needs to keep a self-regulatory program alive for a limited period. Current debates about privacy self-regulation do not place the burden on industry to prove how proposed self- regulatory privacy programs are going to be substantively different than past efforts, at least in public view.

The Federal Trade Commission has no effective means of issuing privacy regulations because of current limits on its statutory authority. This is a structural problem that essentially compels the agency to look favorably at self-regulation because it has no alternative to offer. The FTC can always recommend legislation, but it is not clear that an FTC recommendation will be influential, that privacy legislation can pass the Congress, or that the FTC can manage to support any legislative recommendation.

Privacy self-regulation as supported by industry today suffers from the same lack of tension as in the past. Without meaningful, independent participation (e.g., by privacy and consumer advocates) in the development and oversight of privacy self-regulation, the self-regulatory standards and enforcement will be just as insufficient as they were in the past. Industry-financed oversight will not succeed because industry does not want it to be effective. For-profit privacy standards will not succeed because the pressure for profits overwhelms the efforts of would-be enforcers.

Privacy self-regulation cannot be meaningful if companies are free to drop out of any self- regulatory scheme at will or to join a different self-regulatory scheme that has weaker standards. Would-be self-regulators are not likely to sue former members. Privacy commitments typically come with a caveat that they can be changed at will at any time without notice. For-profit companies overseeing privacy standards will not be likely to discipline paying members effectively lest they lose revenues or deter participation from new players.

The threat of Federal Trade Commission action is loudly touted by self-regulators as an effective enforcement method. Reliance on Commission enforcement of self-regulation is a challenge, as industry knows that the Commission does not have the resources to enforce a self-regulation scheme covering hundreds or thousands of companies.

This is the case notwithstanding the absence of meaningful Commission activity against those who ignored or discontinued privacy self-regulation. How can the Commission take action against an industry-supported self-regulatory program that has lost all industry support?

The history lesson here poses challenges to the present efforts for codes of conduct or self- regulation. Self-regulation, done in the same ways as it has been done in the past, is not a hopeful way forward. However, the history lesson is not without hope. This report notes key factors that have been salient in the self-regulatory failures. These factors need to be studied and avoided. This report also notes factors that might lay groundwork for success, gleaned from observation of what has not worked. No matter what, one thing is quite certain: there is no need to repeat the past again.

What Could Improve the Process?

It is not the primary purpose of this report to put forward a set of criteria for a meaningful and effective privacy self-regulatory regime. However, it is clear from past experience that some approaches are more likely to produce more positive results and some are not likely to result in a change from the past. In looking at past challenges to success (lack of membership, short duration, no consumer representation, etc.) we are able to set out some basic qualities needed for improvement.

Tension in the Process

Successful privacy self-regulation requires standards responsive to the actual problems, robust policies, meaningful enforcement, and effective remedies. Privacy self-regulation of industry, by industry, and for industry will not succeed. Tension in self-regulation can be provided by a defined and permanent role for consumers who are the intended beneficiaries of privacy protection. Government may also be able to play a role, but government cannot be relied upon as the sole overseer of the process. The past has shown that the interest of the FTC waxed and waned with the political cycle, and the Department of Commerce did not provide sufficient oversight.

Scope

The scope of a self-regulatory regime must be clearly defined at the start. It must apply to a reasonable segment of industry, and it must attract a reasonable percentage of the industry as participants. There must be a method to assess the penetration of the self-regulatory regime in the defined industry.

Fair Information Practices

Any self-regulatory regime should be based on Fair Information Practices (FIPs). Implementation of FIPs will vary with the industry and circumstances, but all elements of FIPs should be addressed in some reasonable fashion.

Open Public Process

The development of basic policies and enforcement methods should take place to a reasonable degree in a public process open to every relevant perspective. The process for development of privacy self-regulatory standards should have a reasonable degree of openness, and there should be a full opportunity for public comment before any material decisions become permanent. Consumers must be able to select their own representatives. Neither government nor those who are to be regulated should select consumer participants – the selection should be up to the consumers.

Independence

The organization that operates a privacy self-regulatory system needs to have some independence from those who are subject to the self-regulation. Those who commit to comply with privacy self-regulation must make a public commitment to comply for a term of years and a financial commitment for that entire period.

Benchmarks

Past self-regulatory efforts and codes of conduct lack benchmarks for success. What constitutes success? Is it membership? Market share? Is it actual enforcement of the program? Without specific benchmarks for a privacy program, it is much more difficult to gauge success in real- time. Without the ability to accurately assess activities within a current program, both success and failure are more difficult to ascertain and may only be gleaned in hindsight.

*****

A Note on Methods

This historical review of privacy self-regulation is based on an extensive literature review, both online and offline, and includes information that was publicly available. This report covers the leading self-regulatory efforts. Some self-regulatory efforts may have disappeared without leaving a public record. Also, privacy seal programs arose during the period of this review, but some disappeared entirely and none developed sufficient credibility or public recognition to warrant investigation in this report beyond those noted in the report. Some activities within existing trade associations are difficult or impossible to assess from evidence available to those outside the associations.

This new WPF report finds that medical identity theft is still a crime that causes great harms to its victims, and that it is growing overall in the United States; however, there’s a catch. The national consumer complaint data suggests that the crime is growing at different rates in different states and regions of the US, creating medical identity theft “hotspots.” These hotspots are important for patients, policymakers, and healthcare stakeholders to know about so as to address potential risks.

WPF has conducted original research on India's Aadhaar, a national biometric ID system, including field research in India during 2010-2014. WPF has published the original research in a peer-reviewed journal, Nature-Springer, and in Harvard-based Journal of Technology Science. The research found that systemic challenges to data protection and privacy exist in the Aadhaar system, challenges which do have potential remedies. Key lessons can be learned for both the US and the EU as biometric systems grow in popularity.